1841 & DNS Resolve Problems

We just swapped out a 1605 for an 1841 router. Basically I copied the working configuration from the 1605 to the 1841. Except for some small differences, the router comes up and the WIC-1DSU-T1-V2 syncs OK.

My issue is that when a NATed PC attempts a URL such as [link], nothing comes up. However, the IP can be pinged.

I'm certain I missed something, but from all my reading I have no joy yet.

Below is the current config with important stuff masked:

Thanks, Bart

!
! Last configuration change at 10:43:40 PDT Mon Feb 5 2007
!
version 12.3(8)T8
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service compress-config
!
hostname ICRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 16000 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
enable password pass1
!
clock timezone PDT -7
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
ip tcp synwait-time 15
ip dhcp excluded-address 192.168.3.10
ip dhcp excluded-address 192.168.3.1 192.168.3.10
ip dhcp excluded-address 192.168.3.20 192.168.3.254
!
ip dhcp pool Guest
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.10
   dns-server 4.2.2.1 198.6.1.4
   lease 0 12
!
!
ip tftp source-interface FastEthernet0/1
no ip domain lookup
ip name-server 4.2.2.1
ip name-server 198.6.1.4
no ftp-server write-enable
!
!
process-max-time 150
!
class-map match-all VOIP
 match access-group name VOIP
class-map match-all ELSE
 match access-group name ELSE
!
!
policy-map QOS
 class VOIP
  bandwidth 1374
  queue-limit 16
 class ELSE
  bandwidth 170
 class class-default
  fair-queue
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description DMZ Interface
 bandwidth 10000
 ip address 192.168.4.254 255.255.255.0 secondary
 ip address 67.xxx.128.65 255.255.255.224
 ip access-group DMZ-ACCESS in
 no ip unreachables
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 description LAN Interface
 bandwidth 10000
 ip address 192.168.3.10 255.255.255.0 secondary
 ip address 192.168.2.10 255.255.255.0
 ip access-group LAN-ACCESS in
 no ip proxy-arp
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface Serial0/0/0
 description Internet Interface
 bandwidth 1544
 ip address xx.xx.xx.xx 255.255.255.252
 ip access-group OUT_IN in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 max-reserved-bandwidth 100
 service-policy output QOS
 encapsulation ppp
 load-interval 30
 traffic-shape rate 1500000 187500 0 1000
 no cdp enable
!
router rip
 redistribute connected
 network 67.0.0.0
 network 192.168.2.0
!
no ip classless
ip route 0.0.0.0 0.0.0.0 67.94.231.181
ip route 10.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 213.22.18.141 255.255.255.255 Null0
no ip http server
ip nat inside source list NAT interface Serial0/0/0 overload
ip nat inside source static tcp 192.168.2.131 5900 67.xxx.128.66 5900 extendable
ip nat inside source static tcp 192.168.2.131 6502 67.xxx.128.66 6502 extendable
ip nat inside source static tcp 192.168.2.242 5900 67.xxx.128.72 5900 extendable
ip nat inside source static tcp 192.168.2.242 6502 67.xxx.128.72 6502 extendable
ip nat inside source static tcp 192.168.2.245 389 67.xxx.128.73 389 extendable
ip nat inside source static tcp 192.168.2.245 4661 67.xxx.128.73 4661 extendable
ip nat inside source static tcp 192.168.2.245 4662 67.xxx.128.73 4662 extendable
ip nat inside source static udp 192.168.2.245 4665 67.xxx.128.73 4665 extendable
ip nat inside source static udp 192.168.2.245 4672 67.xxx.128.73 4672 extendable
ip nat inside source static tcp 192.168.2.245 5900 67.xxx.128.73 5900 extendable
ip nat inside source static tcp 192.168.2.245 6502 67.xxx.128.73 6502 extendable
ip nat inside source static udp 192.168.2.245 24375 67.xxx.128.73 24375 extendable
ip nat inside source static tcp 192.168.2.245 61411 67.xxx.128.73 61411 extendable
ip nat inside source static tcp 192.168.2.231 5900 67.xxx.128.74 5900 extendable
ip nat inside source static tcp 192.168.2.231 6502 67.xxx.128.74 6502 extendable
ip nat inside source static tcp 192.168.2.232 5900 67.xxx.128.75 5900 extendable
ip nat inside source static tcp 192.168.2.232 6502 67.xxx.128.75 6502 extendable
ip nat inside source static tcp 192.168.2.233 5900 67.xxx.128.76 5900 extendable
ip nat inside source static tcp 192.168.2.233 6502 67.xxx.128.76 6502 extendable
ip nat inside source static tcp 192.168.2.234 5900 67.xxx.128.77 5900 extendable
ip nat inside source static tcp 192.168.2.234 6502 67.xxx.128.77 6502 extendable
ip nat inside source static tcp 192.168.2.235 5900 67.xxx.128.78 5900 extendable
ip nat inside source static tcp 192.168.2.235 6502 67.xxx.128.78 6502 extendable
ip nat inside source static tcp 192.168.2.236 5900 67.xxx.128.79 5900 extendable
ip nat inside source static tcp 192.168.2.236 6502 67.xxx.128.79 6502 extendable
ip nat inside source static tcp 192.168.2.238 5900 67.xxx.128.80 5900 extendable
ip nat inside source static tcp 192.168.2.238 6502 67.xxx.128.80 6502 extendable
ip nat inside source static tcp 192.168.2.246 80 67.xxx.128.81 80 extendable
ip nat inside source static tcp 192.168.2.246 5900 67.xxx.128.81 5900 extendable
ip nat inside source static tcp 192.168.2.241 5900 67.xxx.128.82 5900 extendable
ip nat inside source static tcp 192.168.2.241 6502 67.xxx.128.82 6502 extendable
ip nat inside source static tcp 192.168.2.182 5900 67.xxx.128.83 5900 extendable
ip nat inside source static tcp 192.168.2.182 6502 67.xxx.128.83 6502 extendable
ip nat inside source static tcp 192.168.2.248 80 67.xxx.128.85 80 extendable
ip nat inside source static tcp 192.168.2.248 5900 67.xxx.128.85 5900 extendable
ip nat inside source static tcp 192.168.2.237 80 67.xxx.128.87 80 extendable
ip nat inside source static tcp 192.168.2.237 5900 67.xxx.128.87 5900 extendable
ip nat inside source static tcp 192.168.2.229 5900 67.xxx.128.88 5900 extendable
ip nat inside source static tcp 192.168.2.229 6502 67.xxx.128.88 6502 extendable
ip nat inside source static tcp 192.168.2.134 80 67.xxx.128.89 80 extendable
ip nat inside source static tcp 192.168.2.134 5900 67.xxx.128.89 5900 extendable
ip nat inside source static tcp 192.168.2.134 6502 67.xxx.128.89 6502 extendable
ip nat inside source static tcp 192.168.2.101 80 67.xxx.128.90 80 extendable
ip nat inside source static tcp 192.168.2.101 5900 67.xxx.128.90 5900 extendable
ip nat inside source static tcp 192.168.2.101 6502 67.xxx.128.90 6502 extendable
!
ip access-list standard ELSE
 permit 67.xxx.128.89
 permit 67.xxx.128.88
 permit 67.xxx.128.91
 permit 67.xxx.128.90
 permit 67.xxx.128.93
 permit 67.xxx.128.92
 permit 67.xxx.128.94
 permit 67.xxx.128.81
 permit 67.xxx.128.80
 permit 67.xxx.128.83
 permit 67.xxx.128.82
 permit 67.xxx.128.85
 permit 67.xxx.128.84
 permit 67.xxx.128.87
 permit 67.xxx.128.86
 permit 67.xxx.128.73
 permit 67.xxx.128.72
 permit 67.xxx.128.75
 permit 67.xxx.128.74
 permit 67.xxx.128.77
 permit 67.xxx.128.76
 permit 67.xxx.128.79
 permit 67.xxx.128.78
 permit 67.xxx.128.66
 permit 67.xxx.128.71
 permit 67.xxx.128.70
 permit 67.xx.xx.xx
ip access-list standard MANAGE
 permit 63.206.109.173
 permit 75.83.146.219
 permit 194.65.147.166
 permit 68.65.67.161
 permit 62.48.131.101
 permit 192.168.2.131
 permit 192.168.2.134
 permit 68.64.153.101
ip access-list standard VOIP
 permit 67.xxx.128.94
 permit 67.xxx.128.67
 permit 67.xxx.128.69
 permit 67.xxx.128.68
!
ip access-list extended DMZ-ACCESS
 remark ACL to control traffic from the DMZ to the Internal Network and the Internet
 permit udp 67.xxx.128.64 0.0.0.31 192.168.2.0 0.0.0.255 eq 135
 permit udp 67.xxx.128.64 0.0.0.31 192.168.2.0 0.0.0.255 range netbios-ns netbios-ss
 permit udp 67.xxx.128.64 0.0.0.31 192.168.2.0 0.0.0.255 eq 445
 permit tcp 67.xxx.128.64 0.0.0.31 192.168.2.0 0.0.0.255 eq 135
 permit tcp 67.xxx.128.64 0.0.0.31 192.168.2.0 0.0.0.255 eq 139
 permit tcp 67.xxx.128.64 0.0.0.31 192.168.2.0 0.0.0.255 eq 445
 permit ip 67.xxx.128.64 0.0.0.31 192.168.4.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 67.xxx.128.64 0.0.0.31
 deny udp any any range netbios-ns netbios-ss
 deny udp any any eq 445
 deny udp any any eq 135
 deny tcp any any eq 135
 deny tcp any any eq 139
 deny tcp any any eq 445
 deny tcp any any eq 1434
 deny tcp any eq 1434 any
 deny udp any any eq 1900
 permit ip any any
ip access-list extended LAN-ACCESS
 remark ACL to control traffic from the Internal Network to the DMZ and the Internet
 permit udp 192.168.2.0 0.0.0.255 67.xxx.128.64 0.0.0.31 eq 135
 permit udp 192.168.2.0 0.0.0.255 67.xxx.128.64 0.0.0.31 range netbios-ns netbios-ss
 permit udp 192.168.2.0 0.0.0.255 67.xxx.128.64 0.0.0.31 eq 445
 permit tcp 192.168.2.0 0.0.0.255 67.xxx.128.64 0.0.0.31 eq 139
 permit tcp 192.168.2.0 0.0.0.255 67.xxx.128.64 0.0.0.31 eq 445
 deny udp any any eq 135
 deny udp any any range netbios-ns netbios-ss
 deny udp any any eq 445
 deny tcp any any eq 135
 deny tcp any any eq 139
 deny tcp any any eq 445
 deny tcp any any eq 1434
 deny tcp any eq 1434 any
 deny udp any any eq 1900
 remark Rules for Guest PC's
 permit tcp 192.168.3.0 0.0.0.255 any eq www
 permit tcp 192.168.3.0 0.0.0.255 any eq 443
 permit tcp 192.168.3.0 0.0.0.255 any range ftp-data ftp
 permit tcp 192.168.3.0 0.0.0.255 any eq smtp
 permit tcp 192.168.3.0 0.0.0.255 any eq pop3
 permit ip any any
ip access-list extended NAT
 deny ip 192.168.2.0 0.0.0.255 67.xxx.128.64 0.0.0.31
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip host 192.168.4.11 any
ip access-list extended OUT_IN
 permit tcp any gt 1023 67.xxx.128.64 0.0.0.31 eq 6502
 permit tcp any gt 1023 67.xxx.128.64 0.0.0.31 eq 5900
 permit tcp any gt 1023 host 67.xxx.128.67 eq smtp
 permit tcp any gt 1023 host 67.xxx.128.67 range ftp-data 22
 permit tcp any gt 1023 host 67.xxx.128.67 eq pop3
 permit tcp any gt 1023 host 67.xxx.128.67 eq www
 permit tcp any gt 1023 host 67.xxx.128.67 eq 10000
 permit tcp any gt 1023 host 67.xxx.128.67 eq 443
 permit tcp any gt 1023 host 67.xxx.128.67 eq 3306
 permit udp any gt 1023 host 67.xxx.128.67 eq 2427
 permit udp any gt 1023 host 67.xxx.128.67 eq 5038
 permit udp any gt 1023 host 67.xxx.128.67 eq 2727
 permit udp any gt 1023 host 67.xxx.128.67 eq 4569
 permit tcp any gt 1023 host 67.xxx.128.67 eq 5038
 permit tcp any gt 1023 host 67.xxx.128.67 eq 5432
 permit tcp any gt 1023 host 67.xxx.128.67 eq 4520
 permit tcp any gt 1023 host 67.xxx.128.67 eq 1314
 permit tcp any gt 1023 host 67.xxx.128.67 eq 2727
 permit udp any gt 1023 host 67.xxx.128.67 eq 5036
 permit udp any gt 1023 host 67.xxx.128.67 range 5060 5069
 permit udp any gt 1023 host 67.xxx.128.67 range 10000 20000
 permit tcp any gt 1023 host 67.xxx.128.68 eq smtp
 permit tcp any gt 1023 host 67.xxx.128.68 eq 5038
 permit tcp any gt 1023 host 67.xxx.128.68 eq 5432
 permit tcp any gt 1023 host 67.xxx.128.68 eq 4520
 permit tcp any gt 1023 host 67.xxx.128.68 eq 1314
 permit tcp any gt 1023 host 67.xxx.128.68 eq 2727
 permit tcp any gt 1023 host 67.xxx.128.68 range ftp-data 22
 permit tcp any gt 1023 host 67.xxx.128.68 eq pop3
 permit tcp any gt 1023 host 67.xxx.128.68 eq www
 permit tcp any gt 1023 host 67.xxx.128.68 eq 10000
 permit tcp any gt 1023 host 67.xxx.128.68 eq 443
 permit tcp any gt 1023 host 67.xxx.128.68 eq 3306
 permit udp any gt 1023 host 67.xxx.128.68 eq 2427
 permit udp any gt 1023 host 67.xxx.128.68 eq 4569
 permit udp any gt 1023 host 67.xxx.128.68 eq 5038
 permit udp any gt 1023 host 67.xxx.128.68 eq 5036
 permit udp any gt 1023 host 67.xxx.128.68 range 5060 5069
 permit udp any gt 1023 host 67.xxx.128.68 range 10000 20000
 permit tcp any gt 1023 host 67.xxx.128.69 eq smtp
 permit tcp any gt 1023 host 67.xxx.128.69 eq 5038
 permit tcp any gt 1023 host 67.xxx.128.69 eq 5432
 permit tcp any gt 1023 host 67.xxx.128.69 eq 4520
 permit tcp any gt 1023 host 67.xxx.128.69 eq 1314
 permit tcp any gt 1023 host 67.xxx.128.69 eq 2727
 permit tcp any gt 1023 host 67.xxx.128.69 range ftp-data 22
 permit tcp any gt 1023 host 67.xxx.128.69 eq www
 permit tcp any gt 1023 host 67.xxx.128.69 eq pop3
 permit tcp any gt 1023 host 67.xxx.128.69 eq 10000
 permit tcp any gt 1023 host 67.xxx.128.69 eq 443
 permit tcp any gt 1023 host 67.xxx.128.69 eq 3306
 permit udp any gt 1023 host 67.xxx.128.69 eq 5038
 permit udp any gt 1023 host 67.xxx.128.69 eq 2427
 permit udp any gt 1023 host 67.xxx.128.69 eq 4569
 permit udp any gt 1023 host 67.xxx.128.69 eq 5036
 permit udp any gt 1023 host 67.xxx.128.69 range 10000 20000
 permit udp any gt 1023 host 67.xxx.128.69 range 5060 5069
 permit udp any gt 1023 host 67.xxx.128.70 eq 2427
 permit udp any gt 1023 host 67.xxx.128.70 eq 4569
 permit udp any gt 1023 host 67.xxx.128.70 eq 5036
 permit udp any gt 1023 host 67.xxx.128.70 range 5060 5069
 permit udp any gt 1023 host 67.xxx.128.70 range 10000 20000
 permit tcp any gt 1023 host 67.xxx.128.70 range ftp-data 22
 permit tcp any gt 1023 host 67.xxx.128.70 eq smtp
 permit tcp any gt 1023 host 67.xxx.128.70 eq www
 permit tcp any gt 1023 host 67.xxx.128.70 eq pop3
 permit tcp any gt 1023 host 67.xxx.128.70 eq nntp
 permit tcp any gt 1023 host 67.xxx.128.70 eq 443
 permit tcp any gt 1023 host 67.xxx.128.70 eq 3000
 permit tcp any gt 1023 host 67.xxx.128.70 eq 3306
 permit udp any gt 1023 host 67.xxx.128.71 eq 2427
 permit udp any gt 1023 host 67.xxx.128.71 eq 4569
 permit udp any gt 1023 host 67.xxx.128.71 eq 5036
 permit udp any gt 1023 host 67.xxx.128.71 range 5060 5069
 permit udp any gt 1023 host 67.xxx.128.71 range 10000 20000
 permit tcp any gt 1023 host 67.xxx.128.71 range ftp-data 22
 permit tcp any gt 1023 host 67.xxx.128.71 eq smtp
 permit tcp any gt 1023 host 67.xxx.128.71 eq www
 permit tcp any gt 1023 host 67.xxx.128.71 eq pop3
 permit tcp any gt 1023 host 67.xxx.128.71 eq nntp
 permit tcp any gt 1023 host 67.xxx.128.71 eq 443
 permit tcp any gt 1023 host 67.xxx.128.71 eq 3000
 permit tcp any gt 1023 host 67.xxx.128.71 eq 3306
 permit udp any gt 1023 host 67.xxx.128.73 eq 4662
 permit tcp any gt 1023 host 67.xxx.128.73 eq 4662
 permit udp any gt 1023 host 67.xxx.128.73 eq 4672
 permit tcp any gt 1023 host 67.xxx.128.73 eq 4711
 permit udp any gt 1023 host 67.xxx.128.73 eq 24375
 permit tcp any gt 1023 host 67.xxx.128.73 eq 61411
 permit tcp any gt 1023 host 67.xxx.128.73 eq 389
 permit udp any gt 1023 host 67.xxx.128.73 eq 34527
 permit tcp any gt 1023 host 67.xxx.128.73 eq 44587
 permit tcp any gt 1023 host 67.xxx.128.81 eq www
 permit tcp any gt 1023 host 67.xxx.128.84 eq www
 permit tcp any gt 1023 host 67.xxx.128.85 eq www
 permit tcp any gt 1023 host 67.xxx.128.86 eq www
 permit tcp any gt 1023 host 67.xxx.128.86 eq 443
 permit tcp any gt 1023 host 67.xxx.128.86 eq 5900
 permit tcp any gt 1023 host 67.xxx.128.89 eq www
 permit tcp any gt 1023 host 67.xxx.128.91 eq smtp
 permit tcp any gt 1023 host 67.xxx.128.91 eq www
 permit tcp any gt 1023 host 67.xxx.128.91 eq 5900
 permit tcp any gt 1023 host 67.xxx.128.91 eq 6502
 permit tcp any gt 1023 host 67.xxx.128.91 eq 3306
 permit tcp any gt 1023 host 67.xxx.128.94 eq smtp
 permit tcp any gt 1023 host 67.xxx.128.94 range ftp-data 22
 permit tcp any gt 1023 host 67.xxx.128.94 eq pop3
 permit tcp any gt 1023 host 67.xxx.128.94 eq www
 permit tcp any gt 1023 host 67.xxx.128.94 eq 10000
 permit tcp any gt 1023 host 67.xxx.128.94 eq 443
 permit tcp any gt 1023 host 67.xxx.128.94 eq 3306
 permit udp any gt 1023 host 67.xxx.128.94 eq 2427
 permit udp any gt 1023 host 67.xxx.128.94 eq 5038
 permit udp any gt 1023 host 67.xxx.128.94 eq 2727
 permit udp any gt 1023 host 67.xxx.128.94 eq 4569
 permit tcp any gt 1023 host 67.xxx.128.94 eq 5038
 permit tcp any gt 1023 host 67.xxx.128.94 eq 5432
 permit tcp any gt 1023 host 67.xxx.128.94 eq 4520
 permit tcp any gt 1023 host 67.xxx.128.94 eq 1314
 permit tcp any gt 1023 host 67.xxx.128.94 eq 2727
 permit udp any gt 1023 host 67.xxx.128.94 eq 5036
 permit udp any gt 1023 host 67.xxx.128.94 range 5060 5069
 permit udp any gt 1023 host 67.xxx.128.94 range 10000 20000
 permit ip host 194.65.147.166 any
 permit ip host 62.48.131.101 any
 permit ip host 68.64.153.101 any
 permit ip host 75.83.146.219 any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit udp any eq ntp any
!
logging trap warnings
logging 67.xxx.128.66
access-list 10 permit 67.xxx.128.66
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server community pass RW 10
snmp-server location Buena_Park
snmp-server enable traps tty
no cdp run
!
control-plane
!
!
line con 0
 password pass1
 transport output all
line aux 0
line vty 0 4
 access-class MANAGE in
 password pass1
 login
 transport input all
 transport output all
!
ntp clock-period 17042193
ntp source Serial0/0/0
ntp master 14
ntp server 128.9.176.30
end
Bart Fisher

Wow, that's quite the ACL..

You complain about DNS being blocked, but ICMP working..

Your ACL doesn't take into account any DNS?

...

.... (snip a bunch like the .67 entry).

But I don't see any permits for DNS anywhere in the whole list, which means that by default you are blocking DNS in your ACL.

Does it work if you unhook your network, undo the ACL on the Internet interface, and plug your laptop/workstation directly into it?

You may want to investigate CBAC, seems like it would be a lot easier in your case for what you want to do.

Doug McIntyre

You were right, removing the ACL from Serial and it magically started working. What can I do to keep the ACL and have it work until my Cisco guy fixes it the right way?

Thanks

Bart

Bart Fisher

ip access-list extended OUT_IN
 permit udp any any eq domain
 permit tcp any any eq domain

You should add these two lines onto the end of this ACL (i.e. not replacing it, just adding onto it). DNS does use TCP 53 sometimes in some circumstances, but so many people firewall it off that people tend to make sure that case usually doesn't come up anyway.

Doug McIntyre
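An added example, not code from the thread: a first-match evaluator for the subset of IOS extended-ACL syntax that OUT_IN uses, run against a resolver's answer coming back in on Serial0/0/0; the 203.0.113.x addresses are constructed stand-ins for the masked ones. Because a plain ACL is stateless, "eq domain" on the destination side matches packets arriving at port 53 (queries to a server behind the router), while "eq domain" on the source side matches answers from outside resolvers, the same shape as the config's existing "permit udp any eq ntp any"; the block evaluates both forms so you can see which one the NATed clients' lookups actually need.

```python
import ipaddress
# Added example, not from the thread: first-match evaluator for the IOS ACL subset OUT_IN uses.
PORT_NAMES = {"domain": 53, "ntp": 123, "www": 80, "smtp": 25, "pop3": 110}

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _addr(toks, i):  # 'any' | 'host A' | 'A WILDCARD', starting at toks[i]
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1]), i + 2
    wild = int(ipaddress.ip_address(toks[i + 1]))
    mask = str(ipaddress.ip_address(~wild & 0xFFFFFFFF))  # wildcard -> netmask
    return ipaddress.ip_network((toks[i], mask), strict=False), i + 2

def _portmatch(toks, i):  # optional 'eq N' / 'gt N'; no operator = any port
    if i >= len(toks) or toks[i] not in ("eq", "gt"):
        return (lambda p: True), i
    v, op = _port(toks[i + 1]), toks[i]
    return (lambda p: p == v if op == "eq" else p > v), i + 2

def parse_acl(text):
    """Return [(action, proto, src, sport_test, dst, dport_test), ...]."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _addr(t, 2)
        sp, i = _portmatch(t, i)
        dst, i = _addr(t, i)
        dp, i = _portmatch(t, i)  # trailing ICMP type keywords are ignored
        rules.append((t[0], t[1], src, sp, dst, dp))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, sp, dn, dp in rules:
        if p in (proto, "ip") and s in sn and sp(sport) and d in dn and dp(dport):
            return action
    return "deny"

# Constructed stand-in for OUT_IN: 203.0.113.64/27 replaces the masked
# 67.xxx.128.64 block and 203.0.113.2 the masked Serial0/0/0 address.
OUT_IN = """
permit tcp any gt 1023 203.0.113.64 0.0.0.31 eq 5900
permit tcp any gt 1023 host 203.0.113.67 eq www
permit icmp any any echo-reply
permit udp any eq ntp any
"""
QUERY_FORM = "permit udp any any eq domain\n"  # traffic TO port 53 (a query)
REPLY_FORM = "permit udp any eq domain any\n"  # traffic FROM port 53 (a reply)

def dns_reply_verdict(extra=""):  # resolver 4.2.2.1:53 -> NAT address, ephemeral port
    return evaluate(parse_acl(OUT_IN + extra), "udp", "4.2.2.1", 53, "203.0.113.2", 50321)
```

With the original list the answer is dropped by the implicit deny while the ICMP echo-reply is permitted, which matches the symptom in the thread (ping works, names do not).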
